ID: 32950
User updated by: kameshj at fastmail dot fm
Reported By: kameshj at fastmail dot fm
-Status: Feedback
+Status: Open
Bug Type: mbstring related
Operating System: All
PHP Version: 5.0.4
New Comment:

Sorry, my mistake. In our build system we accidentally used -DSMART_STR_USE_REALLOC=1; because of that, realloc is used for allocation. zval_ptr_dtor calls efree on a non-erealloced pointer. After removal it works fine.

Previous Comments:
------------------------------------------------------------------------

[2005-05-05 19:50:54] [EMAIL PROTECTED]

That's not quite the case. smart_str actually uses emalloc() unless the macros are of the *_ex family and true is given to the "what" parameter.

Could you give me any backtrace to see what was going on?

------------------------------------------------------------------------

[2005-05-05 08:38:18] kameshj at fastmail dot fm

Description:
------------
Function _php_mb_regex_ereg_replace_exec in php_mbregex.c returns

    RETVAL_STRINGL((char *)out_buf.c, out_buf.len - 1, 0); //At the end of the function

0 as the 3rd argument to the RETVAL_STRINGL macro does not duplicate the content and sets the retval zval to the same pointer as out_buf.c.

out_buf.c is allocated using the malloc/realloc family, not emalloc/erealloc.

When zval_ptr_dtor is called on mb_reg_replace's retval, it calls efree (which it should not).

Hence, in the macro REMOVE_POINTER_FROM_LIST, the line

    p->pLast->pNext = p->pNext; \

causes a seg fault (as p->pLast is null or some strange pointer not within the control of the running program).

Patch for the 5.0 tree is available here:
http://puggy.symonds.net/~kameshj/php_mbregex.c.patch

Reproduce code:
---------------
<?php
echo mb_ereg_replace( ' ', '-', 'a b c d e' );
?>

Expected result:
----------------
a-b-c-d-e

Actual result:
--------------
Segfault

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=32950&edit=1
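
The allocator mismatch discussed in this thread (a malloc/realloc buffer handed to efree, which then unlinks a list header that was never there) can be modelled in a few lines. This is an added example, not code from PHP or from the reporter's patch: t_alloc, t_owns, t_free and t_dup are hypothetical names for a toy tracking heap, and t_dup stands in for passing 1 as the duplicate argument instead of 0.

```c
#include <stdlib.h>
#include <string.h>
/* Toy tracking heap (hypothetical): blocks carry a header in a doubly linked list. */
typedef struct hdr { struct hdr *prev, *next; } hdr;
static hdr *head = NULL;
void *t_alloc(size_t n) {
    hdr *h = malloc(sizeof *h + n);
    if (!h) return NULL;
    h->prev = NULL; h->next = head;
    if (head) head->prev = h;
    head = h;
    return h + 1;
}

/* Ownership test compares addresses only; nothing in front of p is read. */
int t_owns(const void *p) {
    for (hdr *h = head; h; h = h->next)
        if ((const void *)(h + 1) == p) return 1;
    return 0;
}

/* Returns 0 on success, -1 when p did not come from t_alloc. */
int t_free(void *p) {
    if (!t_owns(p)) return -1;          /* foreign pointer: refuse to unlink */
    hdr *h = (hdr *)p - 1;
    if (h->prev) h->prev->next = h->next; else head = h->next;
    if (h->next) h->next->prev = h->prev;
    free(h);
    return 0;
}

/* Hand a foreign buffer to the tracking heap by copying it. */
char *t_dup(const char *src, size_t len) {
    char *d = t_alloc(len + 1);
    if (!d) return NULL;
    memcpy(d, src, len); d[len] = '\0';
    return d;
}

/* Returns 1 when the raw pointer is rejected and the copy frees cleanly. */
int demo(void) {
    char *raw = malloc(16);             /* stands in for a realloc-grown out_buf.c */
    if (!raw) return 0;
    strcpy(raw, "a-b-c-d-e");           /* constructed sample value */
    int rejected = t_free(raw) == -1;
    char *ret = t_dup(raw, strlen(raw));
    free(raw);
    int ok = ret && strcmp(ret, "a-b-c-d-e") == 0 && t_free(ret) == 0;
    return rejected && ok && head == NULL;
}
```

A heap that unlinks without the ownership check would compute a header address in front of the foreign pointer and follow whatever bytes happen to be there, which is the crash the report describes.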